A conventional authentication token is an apparatus which creates one-time passcodes (OTPs) for use in authenticating a user to an authentication entity. To this end, the user may press a button of the authentication token. The authentication token then derives an OTP from a seed (or encryption key), and displays the OTP on a display to the user.
In the context of authentication tokens which employ time-based algorithms, the OTP is valid for only a limited time period (e.g., one minute). If the user provides the OTP to the authentication entity within this time period, the authentication entity responds with positive authentication. However, if the user provides the OTP to the authentication entity after the time period expires, the authentication entity refuses to positively authenticate the user, and the user must provide a new OTP from the authentication token in order to properly authenticate with the authentication entity. Accordingly, even if an unauthorized person obtains an OTP, the OTP automatically becomes invalid after the time period elapses.
Some conventional authentication tokens have designated lifetimes of more than one year (e.g., three years). Upon expiration of an authentication token's lifetime, the authentication entity refuses to authenticate the user based on any further OTPs from that authentication token, and the user must obtain a new authentication token from the authentication service administrator.
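The two checks described above (the short OTP validity period and the token's designated lifetime), as an added illustration that is not part of the original text: a time-based OTP derived from a seed in the manner of RFC 6238 (HOTP over a time counter), and the authentication entity's verification logic. The seed is the RFC 4226/6238 reference seed so the codes can be checked against the published test vectors; the one-minute step, the lifetime value and the `TokenRecord` structure are assumptions made for the example.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

STEP_SECONDS = 60   # OTP validity period, e.g. one minute (assumed for the example)
DIGITS = 6
# RFC 4226/6238 reference seed (ASCII "12345678901234567890"); a real token's
# seed is a secret provisioned by the authentication service administrator.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to the requested digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """The OTP the token displays during the time step containing unix_time."""
    return hotp(seed, unix_time // STEP_SECONDS)


@dataclass
class TokenRecord:
    """What the authentication entity stores per issued token (assumed layout)."""
    seed: bytes
    expires_at: int   # end of the token's designated lifetime, unix seconds


def verify(record: TokenRecord, otp: str, now: int, skew_steps: int = 0) -> bool:
    """Positive authentication only while the token is within its lifetime and
    the OTP matches the current time step. skew_steps=0 mirrors the text: the
    OTP dies exactly when its period elapses. Real verifiers commonly allow a
    small skew (e.g. 1 step) to tolerate clock drift between token and server."""
    if now >= record.expires_at:
        return False          # token lifetime expired: user needs a new token
    current = now // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        # constant-time comparison so timing does not leak partial matches
        if hmac.compare_digest(hotp(record.seed, counter), otp):
            return True
    return False
```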